Bug 682702 (CVE-2018-10372, CVE-2018-10373, CVE-2018-10534, CVE-2018-10535, CVE-2018-13033) - <sys-devel/binutils-2.31.1-r4: Multiple vulnerabilities
Summary: <sys-devel/binutils-2.31.1-r4: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2018-10372, CVE-2018-10373, CVE-2018-10534, CVE-2018-10535, CVE-2018-13033
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-04-06 17:30 UTC by Andreas K. Hüttel
Modified: 2019-08-03 11:24 UTC
Description Andreas K. Hüttel archtester gentoo-dev 2019-04-06 17:30:38 UTC
Moving vulns here from bug 661154 which are fixed in 2.31.1-r4


> > > > > CVE-2018-13033 (https://nvd.nist.gov/vuln/detail/CVE-2018-13033):
> > > > >   The Binary File Descriptor (BFD) library (aka libbfd), as distributed in
> > > > >   GNU Binutils 2.30, allows remote attackers to cause a denial of service
> > > > >   (excessive memory allocation and application crash) via a crafted ELF file,
> > > > >   as demonstrated by _bfd_elf_parse_attributes in elf-attrs.c and bfd_malloc
> > > > >   in libbfd.c. This can occur during execution of nm.
> > > > 
> > > > https://sourceware.org/bugzilla/show_bug.cgi?id=23361
> > > > "fixed with commit 95a6d235661"
> > > > * fixed for >=sys-devel/binutils-2.31.1
> > > > * cherry-picked for gentoo/binutils-2.30 branch


> > > > > CVE-2018-10535 (https://nvd.nist.gov/vuln/detail/CVE-2018-10535):
> > > > >   The ignore_section_sym function in elf.c in the Binary File Descriptor
> > > > >   (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, does not
> > > > >   validate the output_section pointer in the case of a symtab entry with a
> > > > >   "SECTION" type that has a "0" value, which allows remote attackers to cause
> > > > >   a denial of service (NULL pointer dereference and application crash) via a
> > > > >   crafted file, as demonstrated by objcopy.
> > > > 
> > > > Fixed in db0c309f4011ca94a4abc8458e27f3734dab92ac
> > > > * Fixed in >=sys-devel/binutils-2.31
> > > > * cherry-picked for the gentoo/binutils-2.30 branch


> > > > > CVE-2018-10534 (https://nvd.nist.gov/vuln/detail/CVE-2018-10534):
> > > > >   The _bfd_XX_bfd_copy_private_bfd_data_common function in peXXigen.c in the
> > > > >   Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU
> > > > >   Binutils 2.30, processes a negative Data Directory size with an unbounded
> > > > >   loop that increases the value of (external_IMAGE_DEBUG_DIRECTORY) *edd so
> > > > >   that the address exceeds its own memory region, resulting in an
> > > > >   out-of-bounds memory write, as demonstrated by objcopy copying private info
> > > > >   with _bfd_pex64_bfd_copy_private_bfd_data_common in pex64igen.c.
> > > > 
> > > > Fixed in aa4a8c2a2a67545e90c877162c53cc9de42dc8b4
> > > > * Fixed in >=sys-devel/binutils-2.31
> > > > * cherry-picked for the gentoo/binutils-2.30 branch


> > > > > CVE-2018-10373 (https://nvd.nist.gov/vuln/detail/CVE-2018-10373):
> > > > >   concat_filename in dwarf2.c in the Binary File Descriptor (BFD) library
> > > > >   (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to
> > > > >   cause a denial of service (NULL pointer dereference and application crash)
> > > > >   via a crafted binary file, as demonstrated by nm-new.
> > > > 
> > > > Fixed in 6327533b1fd29fa86f6bf34e61c332c010e3c689
> > > > * Fixed in >=sys-devel/binutils-2.31
> > > > * cherry-picked for the gentoo/binutils-2.30 branch


> > > > > CVE-2018-10372 (https://nvd.nist.gov/vuln/detail/CVE-2018-10372):
> > > > >   process_cu_tu_index in dwarf.c in GNU Binutils 2.30 allows remote attackers
> > > > >   to cause a denial of service (heap-based buffer over-read and application
> > > > >   crash) via a crafted binary file, as demonstrated by readelf.
> > > > 
> > > > Fixed in 6aea08d9f3e3d6475a65454da488a0c51f5dc97d
> > > > * Fixed in >=sys-devel/binutils-2.31
> > > > * cherry-picked for the gentoo/binutils-2.30 branch
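
The pattern behind CVE-2018-10534 as described above (a negative Data Directory size driving a loop past the end of its memory region), next to a bounds-checked counterpart. This is an added illustration, not code from binutils or from this bug report; the function names, the 28-byte `ENTRY_SIZE` and the buffer layout are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumption for this example: 28-byte fixed-size directory records. */
#define ENTRY_SIZE 28u

/* Unchecked pattern: the size field is trusted and used as an unsigned
   loop bound, so a negative value turns into an enormous entry count. */
size_t entries_unchecked(int32_t dir_size)
{
    return (size_t)(uint32_t)dir_size / ENTRY_SIZE;
}

/* Checked pattern: number of whole entries that may be walked, or -1 when
   the directory does not lie entirely inside the section buffer. */
long entries_checked(size_t section_len, uint32_t dir_offset, int32_t dir_size)
{
    if (dir_size < 0)
        return -1;                    /* negative size read from the file */
    if (dir_offset > section_len)
        return -1;                    /* directory starts past the end */
    if ((size_t)dir_size > section_len - dir_offset)
        return -1;                    /* directory runs past the end */
    return (long)((size_t)dir_size / ENTRY_SIZE);
}

/* Copies the directory only after validation; returns entries copied or -1. */
long copy_entries(uint8_t *dst, size_t dst_len, const uint8_t *section,
                  size_t section_len, uint32_t dir_offset, int32_t dir_size)
{
    long n = entries_checked(section_len, dir_offset, dir_size);
    if (n < 0 || (size_t)n * ENTRY_SIZE > dst_len)
        return -1;
    memcpy(dst, section + dir_offset, (size_t)n * ENTRY_SIZE);
    return n;
}
```

With a size of -1 the unchecked count is over 150 million entries, far beyond any real section, while the checked path rejects the input before any copy happens.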
Comment 1 Larry the Git Cow gentoo-dev 2019-04-29 00:00:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=894e4f2719e94cdfbb639dbaffbcec1433d206bb

commit 894e4f2719e94cdfbb639dbaffbcec1433d206bb
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2019-04-28 23:58:37 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2019-04-28 23:58:37 +0000

    package.mask: Mask <sys-devel/binutils-2.31.1-r4 and friends
    
    Closes: https://bugs.gentoo.org/623566
    Bug: https://bugs.gentoo.org/676460
    Bug: https://bugs.gentoo.org/682702
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 profiles/package.mask | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2019-04-29 00:01:40 UTC
All security-supported arches stabilized, all vulnerable ebuilds masked. 
No cleanup (toolchain). Security please proceed.
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2019-06-03 05:31:39 UTC
(In reply to Andreas K. Hüttel from comment #2)
> All security-supported arches stabilized, all vulnerable ebuilds masked. 
> No cleanup (toolchain). Security please proceed.

Nothing to do for toolchain here anymore.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2019-08-03 11:24:07 UTC
This issue was resolved and addressed in
 GLSA 201908-01 at https://security.gentoo.org/glsa/201908-01
by GLSA coordinator Aaron Bauman (b-man).